Closed jinlarse closed 1 year ago
Seeing the same problem without updating anything (neither wordpress nor any plugin). Lightbox was working a few days ago, but now clicking on an image opens the image as a new file instead of showing it inside the LB. All browsers are affected (tested with Firefox, Chrome, Vivaldi, Safari).
URL of Page exhibiting problem : https://amaryan.fr/2021/09/28/illustration-des-ecailles-en-septembre/
However, the plugin is working correctly on a local copy with a PHP server running locally through MAMP. On the server side, no error is displayed in the PHP logs, so I don't have any clue how to debug this.
I have talked to my domain provider and they said cURL support is integrated in PHP with them.
The problem must be something else. I see that the plugin has not been updated since March 2020. Maybe the plugin uses e.g. a separate list of root certificates that contain the expired X3 certificate for Let's Encrypt certificates? In this case, the plugin must make sure that it avoids it when using the curl libraries.
Actually, this was exactly my guess too! That would explain why things are working locally over http and not in production. Already been having a lot of problems on other projects since Let's Encrypt root certificate expiration last week.
More info on this :
More info: editing the wp-includes/certificates/ca-bundle.crt file and replacing the old DST Root CA X3 certificate with the new ISRG Root X1 fixes the problem (for me):
## DST Root CA X3
## ==============
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
ISRG Root X1
============
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
So it's probable that those certificates will be updated with the next release of wordpress. The fix above should only be temporary until then.
Changing the certificate was not working for me (Wordpress 4).
The solution was to disable SSL verification with a hook.
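```php
// Returning false from this filter turns off TLS certificate verification
// for HTTPS requests made through the WordPress HTTP API.
function https_no_ssl_verify($ssl_verify, $url = null) {
    return false;
}
add_filter('https_ssl_verify', 'https_no_ssl_verify', 10, 2);
```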
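A way to check a bundle for expired roots and to switch bundles without editing core files or turning verification off, as an added example that is not code from this thread, SLB, or WordPress core. The function name `example_expired_certs` and the bundle path under `wp-content/certs/` are assumptions; `http_request_args`, the `sslcertificates` request argument and `openssl_x509_parse()` are existing WordPress and PHP APIs.

```php
<?php
/**
 * Plugin Name: CA bundle check (added example, hypothetical names and paths)
 * Assumes PHP 7+ with the openssl extension.
 */

// List every certificate in a PEM bundle whose notAfter date has passed.
// Blocks commented out with "## " do not start at column 0 and are skipped.
function example_expired_certs( $bundle_path, $now = null ) {
    $now = $now ?? time();
    $pem = is_readable( $bundle_path ) ? file_get_contents( $bundle_path ) : '';
    preg_match_all(
        '/^-----BEGIN CERTIFICATE-----.+?^-----END CERTIFICATE-----/ms',
        (string) $pem,
        $blocks
    );
    $expired = array();
    foreach ( $blocks[0] as $block ) {
        $info = openssl_x509_parse( $block );
        if ( false === $info || $info['validTo_time_t'] >= $now ) {
            continue; // unparsable block, or still valid
        }
        $expired[] = array(
            'subject' => $info['subject']['CN'] ?? $info['name'],
            'expired' => gmdate( 'Y-m-d', $info['validTo_time_t'] ),
        );
    }
    return $expired;
}

// Keep verification on, but have the WordPress HTTP API validate against a
// separately maintained bundle (assumed location) once it exists and is clean.
add_filter( 'http_request_args', function ( $args, $url ) {
    static $usable = null; // scan the bundle once per page load
    $bundle = WP_CONTENT_DIR . '/certs/ca-bundle.crt'; // assumed path
    if ( null === $usable ) {
        $usable = is_readable( $bundle ) && ! example_expired_certs( $bundle );
    }
    if ( $usable ) {
        $args['sslcertificates'] = $bundle;
    }
    return $args;
}, 10, 2 );
```

Saved under `wp-content/mu-plugins/`, the file loads on every request and survives core updates, which overwrite `wp-includes/certificates/ca-bundle.crt`. With WP-CLI, `wp eval 'print_r( example_expired_certs( ABSPATH . WPINC . "/certificates/ca-bundle.crt" ) );'` lists expired entries in the bundle WordPress ships.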
> I have talked to my domain provider and they said cURL support is integrated in PHP with them.
@jinlarse As noted in SLB's Requirements, simply having cURL enabled for PHP may not be enough. An important (and often missed) configuration detail is enabling cURL for local requests, which some hosts disable by default (or when performing server maintenance). This configuration detail is often not looked into by hosting support staff, as most users with this issue have had the issue resolved by following up with the hosting provider to escalate their issue to someone more familiar with these settings.
> Maybe the plugin uses e.g. a separate list of root certificates that contain the expired X3 certificate for Let's Encrypt certificates? In this case, the plugin must make sure that it avoids it when using the curl libraries.
SLB uses WordPress' own built-in functionality for retrieving the lightbox's layout (the issue causing the lightbox not to open in this ticket). This means that any certificate-related operations are handled by WordPress itself. If an expired root certificate is the cause of the issue on your site, then reporting the issue to WordPress directly is recommended so that it can be fixed for all such operations on your site.
In the meantime, a workaround such as the one described in the article on expired certificates shared by @BenTalagan may be a solution.
Please let me know if you are still experiencing an issue once cURL has been enabled for local requests and any expired certificates have been replaced on your site and I would be glad to take another look.
Looks like things are in the pipe on Wordpress's side :
https://core.trac.wordpress.org/ticket/54207
https://github.com/WordPress/WordPress/commit/b5f1eb9103bb3ecfda699a94df49f0df5de6c9bb
The thing to note is that it seems this bug will only affect installations where curl uses a 1.0.x install of openssl, not a 1.1.x one. As I understand it, it is due to the fact that openssl changed its way to validate trusted certificate chains, and whereas openssl 1.1.x would tolerate having a potentially expired chain if another good one were found, 1.0.x would be less tolerant.
@tuxfamily : as stated by @nylen, the fix that I've proposed above may not be sufficient when the server uses an openssl 1.0.x version AND the server's system uses a certificate bundle that still contains the old DST Root CA X3 certificate. This is probably why even after patching the bundle shipped with wordpress, you still encounter a problem. For details, you can visit the github page of a plugin he's developed to automate the handling of all aspects of the problem we've mentioned before (including the insecure patch you've proposed, which can be enabled but only for a few minutes) :
https://github.com/ClassicPress-research/cp-ssl-fix
As stated in the very clear presentation page, you should focus on updating your web server openssl version if possible, or the web server certificate bundle. Because even after updating to a more recent version of wordpress, your system (openssl 1.0.x + deprecated certificate bundle) may still prevent you from performing those external requests.
Closing this as the issue causing this in WordPress' core appears to have been resolved. If you are still experiencing this issue, updating WordPress is recommended.
The Lightbox is not working anymore, running Wordpress 5.8.1